Reserved Fields

The chart below lists the set of reserved fields that cannot be used for mapping fields when configuring conditions in Log Stream. There are two situations in Log Stream where these fields are restricted from use:

  • Parser Field Extraction – During parser creation in Log Stream, when defining how a parser should extract values from a raw log, you can decide which fields to extract values from and how to map them to Exabeam fields. The set of reserved fields listed below may not be used when mapping extracted field values.

  • Enrichment Rules – When building custom enrichment rules on the Enrichments tab in Log Stream, you can build conditions that will map field data from raw logs to Exabeam common information model (CIM) fields. The set of reserved fields listed below may not be used for configuring this field mapping.

_metadata_version

activity_type

activity

agent_ephemeral_id

approxLogTime

builder_name

cimCompliant

collector_timestamp

coreFieldsMissed

dest_device_entity_id

dest_user_entity_id

detectionFieldsMissed

fields

fieldTypesVersion

id

ingest_time

ioc_domain

ioc_email

ioc_ip_v4

is_ioc

landscape

legacy_activity_type

log

msg_type

outcome

parsed

parser_version

platform

product_category

product

raw_log_size

raw_log_time_format

raw_log_time

rawLogIds

rawLogs

security_criticality

site_id

source_device_entity_id

source_user_entity_id

subject

tier

type

vendor

xml

In addition to the list above, fields that begin with the following prefixes also cannot be used:

  • exa_

  • m_ (Exception – The following metadata fields can be used for mapping fields when building enrichment rules but not when defining parser field extractions: m_tags, m_site_id, m_site_name)